This week, FedRAMP published two Q&As: one for Agencies and one for Cloud Service Providers (CSPs).
Agencies
Q: My Agency is pursuing an authorization for a Software-as-a-Service (SaaS) solution. Does the underlying layer of the system stack also need to be authorized?
A: The “system stack” generally refers to the layers of services in the data center that are included in the cloud service offering, typically defined as a Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS). When authorizing a SaaS solution, the underlying stack of services that support it must also be authorized according to the appropriate FedRAMP baseline. As an example, for a SaaS being authorized at the Moderate baseline, the underlying PaaS and IaaS layers must also be authorized at Moderate (or High), and each component (SaaS, PaaS, IaaS) must have its own authorization boundary and its own ATO letter.
Cloud Service Providers (CSPs)
Q: In the FedRAMP Continuous Monitoring Monthly Executive Summary, what information should I include in the “Items of Note” and “Issue Remediation” sections?
A: Use the “Issue Remediation” section to provide an explanation and remediation evidence for issues that you or the FedRAMP PMO identified (e.g., unauthenticated scan threshold exceeded, unique vulnerability, etc.).
In the “Items of Note” section, include the following information:
- Status of Annual Assessment – Provide the status from your perspective.
- Details of vulnerability spike if present (see Continuous Monitoring Performance Management Guide) – Explain why the FedRAMP PMO would be seeing a unique or raw vulnerability spike this month if applicable.
- Details of Plan of Action and Milestones (POA&M) issues if present – Use this section to explain if you made changes to the POA&M, were unable to fill out certain columns, etc. If the FedRAMP PMO identifies POA&M issues, you can respond to those in this section.
- Late High Items (note pending deviations) – List all late items by POA&M ID and include Deviation Request (DR) status, remediation plan, explanation, etc. for each item.
- Late Moderate Items (note pending deviations) – List all late items by POA&M ID and include Deviation Request (DR) status, remediation plan, explanation, etc. for each item.
Read more about this week’s FedRAMP Tips & Cues here.